
Q&A: Does Silverline WAF automatically update attack signatures?

 

Question

  • How often does Silverline update their attack signatures?
  • What is the process for updating the attack signatures?

 

Environment

  • Silverline WAF
  • Module/Attack Signatures

 

Answer

Yes, the Silverline WAF automatically updates attack signatures. CVEs are checked every day, and signatures are updated according to urgency/criticality.

Updating the signatures is a multi-stage process:

1) The ASM Product Development Team releases a signature update.

2) Silverline reviews the details of the update and determines how urgent the installation is and whether an emergency (i.e. immediate) installation is justified. An emergency installation would be justified if, for example, the update contains protections for a critical CVE that is being actively exploited.

3) Otherwise, a burn-in period of 7-14 days is allowed to elapse, during which the operational impact of the update is reviewed (i.e. outside of Silverline).

4) The signature update manifest is posted in the Silverline Knowledge Base's Release Notes section with the proposed deployment time.

  • Typically ~24 hours prior to the signature update deployment time
  • Example of how the notice appears in the Release Notes section:
    • [Screenshot of a signature update notice in the Release Notes section]
  • To receive these signature update notifications by email, subscribe to Release Notes.

5) The signature update is performed by Silverline Ops Teams one DC at a time, during which diligent monitoring is performed. 

6) To move attack signatures from staging to enforcement, perform an analysis of any violations occurring on those staged signatures, remediate any false positives, and then ask Silverline SOC to move the staged signatures to enforcement. 

7) Should you require help assessing passed violations, you can also open a ticket with SOC and request assistance.

  • Note that recent signature updates have resulted in a very low incidence of introducing false positives.

8) A signature update may be rolled back if a significant number of false positives are introduced. This has never been required to date.

 
